Evernote resets user passwords after being hit by “coordinated” hack

Breach exposes cryptographically hashed and salted passwords.

Evernote is requiring each of its 50 million users to reset their login credentials after the site's security team detected a security breach that exposed password data and other personal information.

In a security notice published Saturday, Evernote said the precautionary password reset came after an investigation found no evidence of any stored content being accessed, changed, or lost. The advisory also stated that payment information wasn't accessed. However, Evernote warned that user information—including usernames, cryptographically protected passwords, and e-mail addresses—was accessed. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement noted. "(In technical terms, they are hashed and salted.)"

Evernote's decision to hash and salt this information matters in the wake of the break-in. A hash keeps the plaintext out of the stolen table, and a random per-user salt means identical passwords produce different digests, so an attacker cannot look them up in precomputed ("rainbow") tables or crack many accounts with a single pass; each account has to be attacked separately. That makes the data more time-consuming to crack and can buy a security team time in the hours or days following the discovery of a breach. How much time depends on the hash function: a fast general-purpose hash such as MD5 or SHA-1 can be tested at billions of guesses per second on commodity GPUs, while an adaptive function such as bcrypt, scrypt or PBKDF2 with a high work factor slows every guess by orders of magnitude. (For a more detailed explanation of the techniques, see Ars Security Editor Dan Goodin's feature "Why passwords have never been weaker—and crackers never been stronger.") Whatever the hash, weak and reused passwords will fall to a dictionary attack, which is why resetting every password remains a necessary precaution.
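An added example (not Evernote's code; the article does not say which hash function Evernote uses) of what "hashed and salted" storage looks like when done with an adaptive function. It assumes PBKDF2-HMAC-SHA256, a 16-byte random salt per user, 100,000 iterations and the record layout shown; the forced-reset helper also refuses a "new" password that still matches the leaked record, which is what makes a site-wide reset actually worth something.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters, not Evernote's (the article does not say which hash it uses):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per user, deliberately slow iteration count.
ITERATIONS = 100_000
SALT_LEN = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    The salt is random per user, so two users with the same password get different
    records: an attacker cannot look a digest up in a precomputed table, and every
    guess has to be recomputed separately for every account.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported password record: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_password(old_record: str, new_password: str) -> str:
    """Forced reset after a breach.

    Refuse a "new" password that still verifies against the leaked record (the reset
    would otherwise be pointless), and issue a fresh record with a fresh salt so the
    stolen digest is useless even as a fingerprint of the new one.
    """
    if verify_password(new_password, old_record):
        raise ValueError("the new password must differ from the compromised one")
    return hash_password(new_password)


def same_password_different_records(password: str) -> bool:
    """Two accounts choosing the same password must not produce the same stored digest."""
    first = hash_password(password).split("$")[3]
    second = hash_password(password).split("$")[3]
    return first != second


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify good:", verify_password("correct horse battery staple", rec))
    print("verify bad: ", verify_password("correct horse battery stapler", rec))
    print("distinct salts for equal passwords:", same_password_different_records("hunter2"))
```

Storing the algorithm and iteration count inside the record is what lets a site raise the work factor later and re-hash each user transparently at their next login, instead of being stuck with whatever was chosen years earlier.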

Users can reset their Evernote account passwords by signing in and following the automated prompt. The site will also be releasing updates to several of its apps to ease the password-change process. As a final reminder, Evernote re-emphasized a few common best practices for future passwords:

Avoid using simple passwords based on dictionary words

Never use the same password on multiple sites or services

Never click on ‘reset password’ requests in e-mails—instead go directly to the service

Could Ars please press Evernote for more specific information about what kind of hashing or encryption they use to store passwords? I've commented on their blog and their Facebook page asking for more transparency but have yet to receive any reply.

These are great examples of transparency in password storage - I'd love to see more like that. It would behoove Evernote to be completely transparent about their expected rate-of-compromise of passwords. Every analysis should include an "expected cost per password crack, with EC2 GPU instances costing X per day".

Did they say which one way encryption they were using? If not, it might have been a bad one.

southcutt wrote:

Could Ars please press Evernote for more specific information about what kind of hashing or encryption they use to store passwords?

One-way means it's a hash, and if they won't say then it probably wasn't an adaptive one proper for passwords but a basic integrity cryptographic hash like SHA-2.

xizar wrote:

kperrier wrote:

Password changed! Not that I am that worried, that was the only site I used that 16 character password for. I <3 LastPass.

What happens when LastPass gets hacked?

Nothing. Like any good password manager (or secure data service period), AFAIK 1Pass, LastPass, KeePass etc all do encryption client-side.

Quote:

Or, more simply, your forget that password?

Can be dealt with via any number of ways, including writing it down and sticking it in a safe. The vast, vast, vast majority of threats for the average user are purely remote. If someone cares enough to do a skilled, targeted physical attack against you in particular you've got bigger things to worry about. LastPass also has limited support for multifactor auth, although sadly only in the form of YubiKey I believe. Still, it's something.

Quote:

I'm not saying things like LastPass are a bad idea, I'm just more comfortable with a CorrectHorseBatteryStaple paradigm for my passwords.

You might be more comfortable but it's less secure and less flexible. Not that passwords in general are a good idea but regrettably it's what we've got to work with.

What happens when LastPass gets hacked? Or, more simply, your forget that password?

All of LastPass's encryption is done locally using multiple one-way hash functions. If hackers got into LastPass's servers, they still wouldn't get your master password because even LastPass doesn't know it.

As far as forgetting your password...you're kinda screwed in any scenario with that one, aren't you? Regardless, most sites offer password retrieval and as long as you used valid contact info, you'd just have to start a new LastPass account after resetting passwords on all your sites.

I just happened to pop open my Evernote iphone app today and my password was rejected. I had no idea about this situation, and assumed I had changed the password and forgot to pay attention. There was no mention of issue. When I reset it, I intended to set it to what I already thought it was, which means I would've set it right back to whatever the hackers might eventually get access to (decryption difficulties aside). Seems to defeat the purpose of the reset if they don't also say "hey, set your password to something new".

I hate having to change passwords, but good stuff Evernote - going through and changing the password on my computer and three devices is preferable to someone getting access to my stuff.

Now I just have to figure out how to update the password in their Android app. (Refer to edit 2, below.)

So were email addresses encrypted?

Edit: Based on the Evernote notice, it does not appear that email addresses were encrypted. So presumably the addresses are now for sale to various spammers (if the black hats don't intend to use them for phishing attacks - since they already know the listed individuals use Evernote).

Edit 2: To change the password in the Android app (after you have changed it on the web), an Evernote discussion informed me to log out on the device and then log back in. This worked for me.

What happens when LastPass gets hacked? Or, more simply, your forget that password?

Then you change your LastPass master password, and all the data stored with your LastPass account (passwords, notes, whatever) gets re-encrypted (AES-256) with a new, strong key (derived from your master password via up to 200,000 iterations of PBKDF2/SHA-256) on your local machine before being transmitted over SSL to LastPass's servers.

In other words, by changing your master password, you've changed every single byte of the data LastPass stores for you.

And since I use LastPass to store >95% of my account credentials, I use that master password at least daily. Forgetting it would be nigh impossible. That's the whole point: The master password is the only one you have to remember, so even if it's long and complicated, remembering it is relatively easy.

I use the same password for work, which I have to change every 90 days, so if I forget it I am really screwed anyway.

With LastPass you need Premium to use it on Android and BlackBerry. It was quite funny, the silly passwords I had stored in my browsers when I imported my passwords into LastPass. Anyway, all are now random in KeePass and as long as whatever the password limit on the site is (that is, if they state the limit; I'm looking at you, Ars: please at least do the basic thing and put a bit of text next to the box stating the password length limit, it takes like 1-2 minutes to do).

But I used KeePass as it allows BlackBerry, Android and PC/Mac syncing using Dropbox (password + keyfile that is not ever stored on Dropbox or the PC).

My BlackBerry takes about 100 seconds to open my password file due to the high number of rounds (5,000,000), and you must use KeePass 1.20 as KeePassBB can't open any files after that (KeePass 2 was read-only at the time on the Android app and KeePassBB2 never worked).

The BlackBerry KeePass project is quite dead though (even the host is no longer active, a dead page, but the domain name was paid for at the end of last year), which seems to match the dying death of BlackBerry in general. Too bad really, as I like BlackBerry for a business phone. Anyway, I have an Android phone for backup and that's my fun phone.

Not that passwords in general are a good idea but regrettably it's what we've got to work with.

Yep, I saw an (the?) article late in 2012 (I believe it was) about the obsolescence of passwords. But the fellow who wrote it didn't come up with an alternative... or suggest how long it'd take for an alternative to go mainstream. I'd truly welcome another way.

I'm not a lastpass (or other password generator) user, and so yes, call me stoopid. (I hear you.) In many cases (like FTP passwords shared with clients) it's just not always convenient. Creating unique long convoluted passwords for all these many websites is beginning to be a stretch on my pea brain's imagination.

I received this email from Evernote and assumed it was a phishing attack. These Evernote system administrators are very much out of their depth if they believe it was a good idea to send an email to their users asking them to visit:

and reset their password. Seriously, that was the link in the email (with some extra identifying parameters on the end). They want me to visit some third party website (possibly hosted in Nigeria) and type in my password to reset it. Yes, that is such a good way to deal with a security breach.

When I saw this article on Ars, I realised this must be some marketing email tracking system they use. Perhaps Evernote need a lesson on the difference between marketing and security.

Could Ars please press Evernote for more specific information about what kind of hashing or encryption they use to store passwords? I've commented on their blog and their Facebook page asking for more transparency but have yet to receive any reply.

Evernote uses MD5 with a salt for their user passwords. The comment thread as to why they do this is worth reading, but here's the meat:

MD5 is a cryptographic hash algorithm -- it's designed to be FAST, and the hardware of today can run millions of MD5 calculations a second without breaking a sweat. If you're using anything that's numbers and letters only and less than 8 characters, then crackers can reuse that password elsewhere.

I would also have recommended that if you used the same password for Evernote and your email service, then change your email password (to something completely unique and unused elsewhere), because once those hackers decrypt the hashed passwords, they will have access to mail and may then take over the mail account and use that to reset passwords for other systems.

I also assume many people store some kind of password list on their Evernote storage (not everyone is security minded) - that would be manna from heaven to attackers.

I personally use the cloud, but only put there data that I would be OK with losing/compromising. Everything else is on locally encrypted disks and storage. We have a long way to go...

Now if I see that LastPass is updated, I'll at least have the option of checking whether there is an official-looking announcement and of checking whether anyone has reported catching it uploading anything improperly.

Since Evernote (according to themselves) uses a long salt, rainbow tables are out.

MD5 collision attacks make it easier to find collisions, but not to find the original password. However, if you were only interested in the single site, it might help you to get it. But, with this type of MD5 use, you probably won't find a collision anyway.

MD5 is a cryptographic hash algorithm -- it's designed to be FAST, and the hardware of today can run millions of MD5 calculations a second without breaking a sweat. If you're using anything that's numbers and letters only and less than 8 characters, then crackers can reuse that password elsewhere.

I'm sorry, but this is rubbish.

Salting (when done properly, which it appears Evernote has done) renders rainbow attacks useless. They can still use brute-force but even with MD5, which as you mentioned is quite fast, takes a very long time if you've not used some dictionary word.

Yes, it's still good to change your passwords. No, it's not "plain text" or anything remotely close to it.

If a cloud-based service such as this had been hacked in such a way that users' content may have been compromised, do you really think they would tell you? Given that their entire business proposition would be irreparably damaged, I suspect they would announce only the passwords had been compromised, then hope for the best. In fact, their duty to defend their backers' investment would demand such a response.

There are also a number of other two-factor methods they have integrated, although that one is definitely the best for people like me who use two-factor on Google.

(In other words: Thanks! Given how much stuff I have on Lastpass, having two-factor in place is Good)

I have no idea how the Lastpass mechanics work inside, but I'm wondering how two-factor helps here. Two factor is an authentication scheme. It won't and can't help encrypt or decrypt your passwords. So either, lastpass encrypts your data with your password, then the two-factor is just a placebo, or they store the decryption key on their side, which would make it insanely prone to attacks. Am I missing something here?

So, the way I understand it is that the hash is like applying an f(x) to a password, but once this f(x) is compromised all passwords are compromised, hence the requirement of "salting", a kind of randomization of the hash so the cracked/compromised f(x) cannot be used to gain critical information on accounts in said stolen database.

I think it's important to note that it's no longer time-consuming to hack. Ars has posted more than enough articles showing that the GPU hack can greatly reduce the time to break a password.

If you're after ONE password hashed with MD5 (salt or not), a GPU cluster will brute-force it quickly. If they were after a (few) specific account(s), they would probably have trodden more lightly so as to avoid detection. So I think it's probable that the hackers were after a simple DB dump.

If you have a dump of a few million passwords, however, you're still looking at a few millennia of computing time to brute-force them.

Thus the hackers will most likely just be running a small dictionary attack (a few thousand words) on their loot to expose the 80% of weak passwords. They will then try the discovered user-pass combos on sites of interest, like PayPal or GMail, because users with weak-ass passwords are likely to reuse their credentials everywhere, and users with strong passwords that take a lot of time to crack are probably using unique ones everywhere. No reward.

That's why you should at least use unique user-pass combos on important sites. The most important being:

1. Your e-mail accounts: identity theft is not funny and if they lock you out of a primary account they can lock you out of pretty much everything else (depending how you handle this stuff).

2. PayPal, as they don't require two-factor auth for transactions, which is quite shocking to me.

3. Social network logins, again for the identity theft.

For stuff like web forums, at least use different usernames with the same password. Not only does it make automated login attempts for spamming less likely, it also provides a layer of anonymity, as a positive ID on one forum doesn't expose your whole life's commenting history to Google.
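The attack side of the preceding post, and of the earlier exchange about MD5 speed and salting, as an added example that is not from the thread: a per-account dictionary attack run over a constructed table of salted MD5 digests, the same attack against an unsalted table for comparison, and a rough guess-rate comparison between MD5 and PBKDF2. The account names, passwords, wordlist, 8-byte salt and the md5(salt || password) layout are all assumptions; Evernote said only that a salt and MD5 were involved.

```python
import hashlib
import os
import time
from typing import Dict, List, Tuple

# Constructed sample data, not from the breach: four accounts, three with passwords that
# appear in a small wordlist (two of them identical) and one that does not.
ACCOUNTS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",           # same password as alice
    "dave": "Tr0ub4dor&3-x9Qm",     # not in the wordlist
}
WORDLIST = ["123456", "password", "password1", "qwerty",
            "letmein", "evernote", "sunshine", "iloveyou"]


def salted_md5(salt: bytes, password: str) -> str:
    """md5(salt || password). The concatenation order is an assumption; Evernote never
    published its exact construction, only that MD5 and a salt were involved."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_leaked_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Stand-in for a dumped user table: username -> (per-user salt, salted digest)."""
    table: Dict[str, Tuple[bytes, str]] = {}
    for user, password in accounts.items():
        salt = os.urandom(8)
        table[user] = (salt, salted_md5(salt, password))
    return table


def dictionary_attack(table: Dict[str, Tuple[bytes, str]],
                      wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-account dictionary attack against the salted table.

    Returns the cracked (user -> password) pairs and the number of hash computations.
    The salt forces one computation per (account, guess) pair; it does nothing to
    protect an account whose password is in the wordlist.
    """
    cracked: Dict[str, str] = {}
    computations = 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            computations += 1
            if salted_md5(salt, guess) == digest:
                cracked[user] = guess
                break
    return cracked, computations


def lookup_attack_unsalted(accounts: Dict[str, str],
                           wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same attack against an unsalted md5 table: the wordlist is hashed once and
    every account falls to a table lookup, so the cost does not grow with the user count."""
    precomputed = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    unsalted = {u: hashlib.md5(p.encode("utf-8")).hexdigest() for u, p in accounts.items()}
    cracked = {u: precomputed[d] for u, d in unsalted.items() if d in precomputed}
    return cracked, len(wordlist)


def guesses_per_second(iterations: int, samples: int) -> Tuple[float, float]:
    """Rough single-core rate of salted MD5 versus PBKDF2-HMAC-SHA256 at `iterations`.
    Absolute numbers depend on the machine (and a GPU rig is far faster); the ratio is the point."""
    salt = b"\x00" * 8
    t0 = time.perf_counter()
    for i in range(samples * 100):
        salted_md5(salt, str(i))
    md5_rate = samples * 100 / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode("utf-8"), salt, iterations)
    pbkdf2_rate = samples / (time.perf_counter() - t0)
    return md5_rate, pbkdf2_rate


if __name__ == "__main__":
    table = make_leaked_table(ACCOUNTS)
    cracked, cost = dictionary_attack(table, WORDLIST)
    print("salted:   cracked", cracked, "in", cost, "hashes")
    cracked, cost = lookup_attack_unsalted(ACCOUNTS, WORDLIST)
    print("unsalted: cracked", cracked, "in", cost, "hashes")
    md5_rate, pbkdf2_rate = guesses_per_second(100_000, 5)
    print(f"MD5 {md5_rate:,.0f}/s vs PBKDF2 {pbkdf2_rate:,.1f}/s")
```

The salt changes the cost from "hash the wordlist once" to "hash the wordlist once per account", which is what rules out canned tables; it does not change the fact that alice, bob and carol are cracked and dave is not. Whether the per-account pass takes seconds or years is decided by the hash function's speed, which is the argument for an adaptive function rather than MD5.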

I have no idea how the Lastpass mechanics work inside, but I'm wondering how two-factor helps here. Two factor is an authentication scheme. It won't and can't help encrypt or decrypt your passwords. So either, lastpass encrypts your data with your password, then the two-factor is just a placebo, or they store the decryption key on their side, which would make it insanely prone to attacks. Am I missing something here?

It seems mostly about account access to download the encrypted file, rather than a second level of encryption on the actual data. After all, you can provide exceptions for mobile devices (I had to, with my phone) and it doesn't need to re-encrypt the data to do so.
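The client-side model described in the earlier post about re-encrypting the vault on a master-password change, and the two-factor question just above, as an added example that is not LastPass's code and does not claim to reproduce its exact scheme. It assumes PBKDF2-HMAC-SHA256 salted with the e-mail address for the vault key, a second one-way step over that key for the login hash the server sees, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a standard-library stand-in for AES-256 (Python's stdlib has no AES).

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000          # assumed client-side PBKDF2 work factor
NONCE_LEN, TAG_LEN = 16, 32


def vault_key(master_password: str, email: str) -> bytes:
    """Derived on the client only. Assumption: PBKDF2-HMAC-SHA256 salted with the
    account e-mail, in the spirit of the PBKDF2/SHA-256 mentioned in the thread."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), ITERATIONS, dklen=32)


def login_hash(key: bytes, master_password: str) -> bytes:
    """What the client presents to authenticate: one more one-way step over the key.
    The server can check it but cannot recover the key or the master password from it."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, dklen=32)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-256, sound as a PRF-based stream
    cipher as long as a (key, nonce) pair is never reused (the nonce is random per blob)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC), so tampering is caught before decryption."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def change_master_password(email: str, old_pw: str, new_pw: str,
                           blob: bytes) -> Tuple[bytes, bytes]:
    """Runs on the client: decrypt under the old key, re-encrypt under the new one, and hand
    the server the new blob plus the new login hash. Every byte the server stores changes."""
    plaintext = decrypt_vault(vault_key(old_pw, email), blob)
    new_key = vault_key(new_pw, email)
    return encrypt_vault(new_key, plaintext), login_hash(new_key, new_pw)


def server_record(email: str, presented_login_hash: bytes, blob: bytes) -> Dict[str, bytes]:
    """Everything a breach of the service would expose: a server-side salted hash of the
    login hash (so a dump is not directly replayable) and the opaque blob. No key, no master
    password. A second factor, where offered, gates handing out this record, not decrypting it."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", presented_login_hash, server_salt, 1000)
    return {"email": email.encode("utf-8"), "salt": server_salt,
            "login_hash": stored, "blob": blob}
```

This is the answer to the "placebo" worry above: the second factor is an authentication control on the server side and does nothing for confidentiality of the blob once it has been copied, but it does keep an attacker who only has a guessed or phished master password from fetching the blob in the first place. Offline, the only thing standing between a stolen blob and the vault is the strength of the master password and the PBKDF2 work factor.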

The blog post on evernote is quite fun in the light of recent events :

Quote:

Our password salting algorithm is significant enough that I’m not particularly worried about the risk of someone: (A) getting a copy of our entire User database and then (B) doing matches against another canned password database to get exact matches.

Or, to phrase it more precisely: We need to provide a lot of protection and attention against “(A)”, because someone who does this has penetrated through several layers of security and accessed a key database. That’s something we spend a lot of time thinking about. Protecting against “(A)” involves lots of boring work for things like: software patches, access control policies, physical security, etc.

While it’s worth mitigating against “(B)”, as we have, I think that this is really far down on the list of real-world security risks. But crypto stuff is always more fun to talk about than the boring stuff, and therefore tends to garner more attention from geeks like myself. That’s probably why there have been 3 comments about the “MD5” algorithm and none about “how do you keep bad guys from logging into your servers?”

Still, if the hash was long enough, if I understood the Ars article on this well, after 8-9 chars it takes very long to compute all possible values.

This being said, I changed my Evernote password to a long password (above 20 chars) that I can remember (I followed the XKCD approach). I use 1Password, but I cannot use it at work (cannot install it), so using long, purely random passwords is not practical; it helps me for passwords I don't use frequently.

I received this email from Evernote and assumed it was a phishing attack. These Evernote system administrators are very much out of their depth if they believe it was a good idea to send an email to their users asking them to visit:

and reset their password. Seriously, that was the link in the email (with some extra identifying parameters on the end). They want me to visit some third party website (possibly hosted in Nigeria) and type in my password to reset it. Yes, that is such a good way to deal with a security breach.

When I saw this article on Ars, I realised this must be some marketing email tracking system they use. Perhaps Evernote need a lesson on the difference between marketing and security.

Direct paste from my evernote reset email, emphasis mine:

Quote:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

Avoid using simple passwords based on dictionary words

Never use the same password on multiple sites or services

Never click on 'reset password' requests in emails - instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote Team

There are 3 links in the email - 2 go to Evernote.com directly, 1 goes to Evernote support. Ars's original quote contains the same line about never clicking on 'reset password' emails. Sounds like you got a legit phishing email. Now would be a good time for spammers to email everyone with phishing sites that look like Evernote.
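A check for the "never click on reset-password links" advice, as an added example that is not from Evernote or the thread: it extracts the hrefs from a constructed e-mail body and accepts only https links whose host is evernote.com or a subdomain of it, so a tracking-redirect host like the one complained about above, a look-alike domain, or evernote.com hidden in the user-info or path all fail. The allow-list, the sample e-mail and the tracker hostname are assumptions.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

FIRST_PARTY = ("evernote.com",)   # assumed allow-list for this example

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def is_first_party(url: str, allowed: Iterable[str] = FIRST_PARTY) -> bool:
    """True only when the URL is https and its host is an allowed domain or a subdomain of one.

    The host comes from urlsplit().hostname, which discards user-info and port, so
    "https://evernote.com@example.net/" resolves to example.net. A domain that merely
    appears in the path or query (the tracking-redirect case) never counts, and a
    look-alike such as evernote.com.example.net fails the suffix check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")          # hostname is already lower-cased
    domains = [d.lower() for d in allowed]
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html: str, allowed: Iterable[str] = FIRST_PARTY) -> List[Tuple[str, bool]]:
    """Extract every href in an HTML e-mail body and classify it."""
    return [(u, is_first_party(u, allowed)) for u in HREF_RE.findall(html)]


# Constructed sample, not the actual Evernote notice: three links, one routed through a
# third-party click-tracking host of the kind the commenter above objected to.
SAMPLE_EMAIL = """
<p>Please create a new password by <a href="https://evernote.com/">signing in</a>.</p>
<p>Or use <a href="https://mkt.example-tracker.net/click?u=https://evernote.com/">this link</a>.</p>
<p>Questions? <a href="https://support.evernote.com/">Evernote Support</a></p>
"""


def suspicious_links(html: str = SAMPLE_EMAIL) -> List[str]:
    """Links a user should not follow; go to the site directly instead."""
    return [u for u, ok in audit_links(html) if not ok]


if __name__ == "__main__":
    for url, ok in audit_links(SAMPLE_EMAIL):
        print("first-party" if ok else "DO NOT CLICK", url)
```

The tracking link is the interesting case: it really does lead to evernote.com eventually, but the host the browser connects to first belongs to someone else, and that is exactly the pattern a phishing kit uses. A service that wants its breach notice to survive its own "never click reset links" advice has to send untracked first-party links, or none at all.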

Seems to me if they were really serious about security, they wouldn't be limiting the character set I can use for my password. Limitations like this are carried over from decades ago - always disappointing and discouraging to see them used in any modern application.